Mobile Threat Blog

Android Security Update – May 2017

On May 1, 2017, Google released an Android Security Bulletin containing details of security vulnerabilities affecting Android devices. Android security updates normally include two parts: general updates that affect most users, and security updates affecting specific partners, such as hardware partners like NVIDIA, Broadcom and Qualcomm. Here we’ve summarized the general security updates in the Android Security Bulletin for security patch level 2017-05-01.

6 Remote Code Execution Vulnerabilities: These types of vulnerabilities allow attackers to execute arbitrary code on user devices. All of them are found in Mediaserver and considered critical, since they cause memory corruption during media file and data processing.

6 Privilege Escalation Vulnerabilities: This type of vulnerability allows unprivileged processes, such as those from third-party apps, to escalate privileges to the system level, bypassing the sandbox restrictions. Five are considered high impact and one is considered medium impact. These vulnerabilities are found in the framework API, Mediaserver, Audioserver and Bluetooth.

4 Information Disclosure Vulnerabilities: These vulnerabilities allow malicious apps to access user data. One is rated high impact because its exploit can bypass an operating system protection called sandboxing, which isolates an application’s data from other applications to limit the damage done by a bad app. The rest are considered medium impact. The vulnerabilities are found in the framework API, Bluetooth, file-based encryption and OpenSSL & BoringSSL.

4 Denial of Service Vulnerabilities: These types of vulnerabilities disable a user’s ability to use the phone or access certain services. Two are considered high impact since an attack may remotely reboot or hang the device. One is considered medium impact and one is considered low impact. All of them are found in Mediaserver.

Appthority urges users to update their Android devices to the latest OS version, which includes these security updates. We also recommend that enterprise IT admins set strong policies against keeping outdated OS versions on their employees’ mobile devices.